What does the EU referendum mean for the GDPR legislation?


On June 23, a referendum is being held to determine whether Britain should leave or remain in the European Union. But what does this mean for businesses – and in particular, what does it mean with regard to the upcoming EU General Data Protection Regulation?

In April this year, after months of mooting and deliberation, the European Union set out new data protection laws that businesses will have to adhere to within two years or face significant fines – up to 4% of worldwide annual turnover. These new protocols include the right to be forgotten, a right to transfer data to another service provider without vendor lock-in, and the right for a user to know when their data has been hacked.

Recent research argues many UK businesses are less than confident about complying with the rules by the 2018 deadline. More than a quarter (26%) of companies polled by Trend Micro back in April admitted they didn’t know how much time they had, with one in five unaware of what the new legislation details. Earlier this week, research from cloud security services provider Netskope argued that three quarters of cloud-based apps currently in use by businesses would fail the GDPR test on data privacy.

The question, however, is whether a UK vote to leave the EU in just under two weeks’ time will become an excuse for bad practice to continue. Jonathan Mepsted, UK managing director of Netskope, argues it shouldn’t, with the vast majority of UK companies still being bound by the legislation. “The text of the legislation clearly states that it applies to any organisation trading in the European Union, regardless of where that organisation is based,” he told CloudTech. “Companies in a post-Brexit UK would need to comply with the GDPR in the same way as any US, Norwegian or Swiss organisation seeking to do business in the European Union.”

This view is backed up by law firm Simmons & Simmons. In an article published in its eLexica online resource in March, the firm argues that a post-Brexit UK may not want to reproduce some of the more onerous requirements of the GDPR, but adds that whatever the vote, businesses should begin to review their existing compliance programmes as a matter of course. Mepsted added: “British companies would be well advised to start preparing for the GDPR immediately – if they haven’t started already.”

For Netskope, there is a link between businesses being concerned and the proliferation of cloud apps and the data within them. “Cloud apps create unstructured data which, by their very nature, are more difficult to manage,” said Mepsted. “However, IT teams are also aware that unstructured data [is] explicitly included within the GDPR and therefore require special attention.

“Whatever the outcome of the UK’s EU referendum on June 23, getting a grip on cloud app use across the organisation will remain a crucial element to avoid falling foul of the GDPR and is arguably the best place to start the journey towards compliance,” he added.